Do the HIPAA Privacy and Security Rules Apply to My Organization?

Part Two: Business Associates

November 27, 2018

Compliance

This article is the second in a two-part series addressing whether and how the Privacy and Security Rules (the “Rules”) under the Health Insurance Portability and Accountability Act (HIPAA) apply to various legal entities. Part One addressed Covered Entities and appeared in our October 2018 newsletter. This article addresses Business Associates of Covered Entities that are self-insured group health plans.[1]

Quick Recap

Covered Entities are the key stakeholders in the delivery and payment of health care, but they frequently partner with other organizations for assistance. Many of these organizations will need to come into contact with Protected Health Information (PHI) to assist the Covered Entity. Remember, PHI is:

  • Information about a past, present, or future health condition, treatment for a health condition, or payment for the treatment of a health condition;
  • Identifiable to a specific individual;
  • Created and/or received by a Covered Entity or Business Associate acting on behalf of a Covered Entity; and
  • Maintained or transmitted in any form.

What’s a Business Associate?

In the group health plan context, HIPAA defines a Business Associate as a third party that requires PHI to perform some function or service on behalf of a group health plan. In other words, it is a third party that helps make your health plan go but needs PHI to do it. The third party might create, receive, store, or transmit[2] the PHI in this role, but it must be “PHI sticky” in at least one of those ways to be considered a Business Associate. Many of HIPAA’s Privacy and Security requirements apply directly to Business Associates.

Typical Business Associates for a Self-Insured Group Health Plan

Yes

  • Third party administrator (TPA) including pharmacy benefit manager
  • COBRA administrator (more about this below)
  • Broker/consulting firm
  • Actuaries
  • Record keepers (e.g. Iron Mountain or other third parties storing physical or electronic records with PHI)
  • Other cloud service providers such as Google if Gmail is used as the email system

No

  • Plan sponsor/employer
  • Stop-loss carrier (more about this below)

Maybe So

  • External legal counsel
  • Accountants if they will see PHI in connection with an audit or review

COBRA Administrators

If a COBRA administrator merely receives enrollment and disenrollment information from the employer (as plan sponsor), the information it receives is not PHI and the COBRA administrator is not technically a Business Associate of the group health plan. The nature and source of the information provided is easily blurred between the employer and group health plan, and it’s common for COBRA administrators to agree to be treated as Business Associates.

The Curious Case of Stop-Loss

The Rules indicate that stop-loss carriers are not Business Associates of a group health plan when the stop-loss policy insures the plan itself. The Rules are less clear about the more likely scenario where the stop-loss policy insures the employer/plan sponsor directly. In practice, stop-loss carriers are often reluctant to be treated as Business Associates and are frequently excluded. We recommend employers enter into robust non-disclosure agreements with stop-loss carriers not treated as Business Associates.

Business Associate Contracts

Your organization’s group health plan is required to enter into a contractual agreement with all of your Business Associates outlining how the Business Associate may use and disclose PHI, how it will secure PHI, and other rights and obligations the parties have under the Rules.[3] The Department of Health and Human Services (DHHS) has provided sample business associate contract language. Among other items, the contract must include language addressing the parties’ responsibilities when unsecured PHI is improperly used or disclosed (a “breach”). Your organization has a limited amount of time to investigate and respond to a breach.

As a practical matter, it is the employer (as plan sponsor) who must secure the contract for all of the plan’s Business Associates, but Business Associates will often supply their version of this contract to the employer without being prompted. It is in each party’s best business interest to use a standardized contract for administrative ease rather than having to honor the commitments of contracts from different sources, so there is a natural tension between the parties who each favor their own contracts. The requirements for a Business Associate contract are pretty standard, but it is not unusual for the contract to be more favorable toward the drafting party or to include additional contractual terms beyond what the Rules require, so it is important to have this reviewed by your legal counsel.

Subcontractors

Sometimes Business Associates contract with other organizations to perform one or more functions the Business Associate was hired to perform for the group health plan (“subcontractors” who are also PHI sticky), and there is no direct relationship between the health plan and the subcontractor. Your Business Associate must represent, in the Business Associate contract it has with your organization, that it has a contract in place with its subcontractor that provides for all of the same protections under the Rules with respect to any PHI related to your health plan.

Example – A self-insured medical plan engages a TPA for claims administration and other services. One of these services is claims monitoring to reduce fraud, waste, and abuse. The claims monitoring services are actually provided by a subsidiary of the TPA, and the medical plan does not have a direct contract with the claims monitoring subsidiary. The TPA is a Business Associate of the medical plan. The claims monitoring entity is a Business Associate of the TPA and should be addressed as a subcontractor within the Business Associate contract between the medical plan and the TPA.

Next Steps

You should always know who your Business Associates are and should make sure you have a list of all the current vendors who provide services related to your health plans. Of these vendors, which ones use PHI to perform a function on behalf of a group health plan?

These are your Business Associates, and you should maintain current Business Associate contracts with all of them. Don’t forget to make this an implementation step when adding a new vendor who will be a Business Associate to your health plan(s).

[1] In Part One, we addressed that insurance carriers are the Covered Entities for fully-insured group health plans and that employers/plan sponsors generally have few obligations under the Rules for those plans.

[2] A third party that only transmits PHI without accessing or storing it may qualify for an exception as a mere conduit of the information.

[3] A failure to enter into the contract does not mean the third party is not your Business Associate and just subjects you to potential penalties for non-compliance.


About Chris Beinecke

Christopher Beinecke, J.D., LL.M. has joined MMA in the newly created position of EH&B National Compliance Leader to oversee this effort. Chris is a highly skilled legal practitioner with deep knowledge and years of experience in the areas of compliance and administrative best practices for health and welfare benefit programs. Chris’s legal experience is vast and diverse. Most recently, he was with the employee benefits practice at international corporate law firm Haynes and Boone, LLP. Prior to that, Chris was a senior compliance consultant for 10 years at Towers Watson and played a major role in the development of the firm’s U.S. health and welfare compliance practice. Chris also worked as an employee benefits lawyer in private practice before entering consulting. Chris received his J.D. from Ohio State University Moritz College of Law, and an LL.M. in taxation from Washington University in St. Louis School of Law. He also holds a B.S. in finance from Miami University Ohio. Chris is licensed to practice in both Texas and Missouri, and is admitted to the U.S. Tax Court.
